Flexera Policy Templates

This repository contains a library of open source Flexera Policy Templates. All contributions are shared under the MIT license.

Contributions

Those who wish to contribute to this repository should review the Contribution Guide and Catalog Style Guide to ensure that their contributions follow the expected flow and meet the necessary standards.

Released Policy Templates

Categories

• Optimization
• Compliance
• Cost
• Operational
• SaaS Management
• Security

Policy Templates for Optimization

These templates can generate savings estimates for your environment. The incidents they raise are scraped for recommendations for the Cost Optimization section of Flexera One.

AWS

• All

  • AWS Resources Under Extended Support

• Compute

  • AWS Reserved Instances Recommendations
  • AWS Rightsize EC2 Instances
  • AWS Savings Plan Recommendations
  • AWS Superseded EBS Volumes
  • AWS Superseded EC2 Instances
  • AWS Unused IP Addresses
  • Turbonomic Allocate Virtual Machine Recommendations AWS
  • Turbonomic Rightsize Virtual Machines Recommendations AWS

• Database

  • AWS Rightsize ElastiCache
  • AWS Rightsize Redshift

• EBS

  • AWS Rightsize EBS Volumes

• Network

  • AWS Idle NAT Gateways
  • AWS Unused Application Load Balancers
  • AWS Unused Classic Load Balancers
  • AWS Unused Network Load Balancers

• RDS

  • AWS Rightsize RDS Instances

• Storage

  • AWS Old Snapshots
  • Turbonomic Delete Unattached Volumes Recommendations AWS

• Usage Discount

  • Turbonomic Buy Reserved Instances Recommendations AWS
  • Turbonomic Rightsize Databases Recommendations AWS
  • Turbonomic Rightsize Virtual Volumes Recommendations AWS

Azure

• Compute

  • Azure Hybrid Use Benefit for Windows Server
  • Azure Long Stopped Compute Instances
  • Azure Reserved Instances Recommendations
  • Azure Rightsize Compute Instances
  • Azure Savings Plan Recommendations
  • Azure Superseded Compute Instances
  • Azure Unused IP Addresses
  • Turbonomic Allocate Virtual Machine Recommendations Azure
  • Turbonomic Rightsize Virtual Machines Recommendations Azure

• Databricks

  • Azure Databricks Rightsize Compute Instances

• Managed Disks

  • Azure Rightsize Managed Disks

• MySQL

  • Azure Rightsize MySQL Flexible Servers
  • Azure Rightsize MySQL Single Servers

• NetApp Files

  • Azure Rightsize NetApp Resources

• Network

  • Azure Unused Firewalls
  • Azure Unused Load Balancers

• PaaS

  • Azure Unused App Service Plans

• SQL

  • Azure Rightsize SQL Database Storage
  • Azure Rightsize SQL Databases
  • Azure Rightsize SQL Managed Instance Storage
  • Azure Rightsize SQL Managed Instances
  • Azure Rightsize Synapse SQL Pools

• Storage

  • Azure Old Snapshots
  • Azure Unused Volumes
  • Turbonomic Delete Unattached Volumes Recommendations Azure

• Storage Accounts

  • Azure Data Lake Optimization

• Usage Discount

  • Turbonomic Buy Reserved Instances Recommendations Azure
  • Turbonomic Rightsize Databases Recommendations Azure
  • Turbonomic Rightsize Virtual Volumes Recommendations Azure

Flexera

• Kubernetes

  • Kubernetes - Rightsizing Recommendations

• Spot Security

  • Spot Security - Compliance Report

Google

• Compute

  • Google Committed Use Discount Recommender
  • Google Idle IP Address Recommender
  • Google Rightsize Cloud SQL Recommender
  • Google Rightsize VM Recommender
  • Turbonomic Allocate Virtual Machine Recommendations Google
  • Turbonomic Rightsize Virtual Machines Recommendations Google

• Storage

  • Google Idle Persistent Disk Recommender
  • Google Old Snapshots
  • Turbonomic Delete Unattached Volumes Recommendations Google

Kubecost

• Kubernetes

  • Kubecost Cluster Rightsizing Recommendation
  • Kubecost Container Request Rightsizing Recommendations

Policy Templates for Compliance

AWS

• Compute

  • AWS Disallowed Regions
  • AWS EC2 Instances not running FlexNet Inventory Agent
  • AWS Long Stopped EC2 Instances
  • AWS Untagged Resources
  • AWS Unused ECS Clusters

• Identity & Access Management

  • AWS IAM Role Audit

• Organization

  • AWS Accounts Missing Service Control Policies

• RDS

  • AWS RDS Instances With Unapproved Backup Settings

Azure

• All

  • Azure Advisor Carbon Reduction Recommendations

• Compute

  • Azure AHUB Utilization with Manual Entry
  • Azure Disallowed Regions
  • Azure Instances not running FlexNet Inventory Agent
  • Azure Untagged Resources
  • Azure Untagged Virtual Machines

• Identity & Access Management

  • Azure Policy Audit

• N/A

  • Azure Regulatory Compliance

Flexera

• Cloud Cost Optimization

  • Billing Center Access Report

• IT Asset Management

  • ITAM Expiring Licenses
  • ITAM Ignored Recent Inventory Dates
  • ITAM Missing Active Machines
  • ITAM Overused Licenses
  • ITAM VMs Missing Host ID

• Identity & Access Management

  • Flexera Users With Explicit Roles

GitHub

• Git

  • GitHub Available Seats
  • GitHub Repositories Without Admin Team
  • GitHub Repository Branches Without Protection
  • GitHub Undersized Repositories
  • GitHub Unpermitted Outside Collaborators
  • GitHub Unpermitted Repository Names
  • GitHub Unpermitted Top-Level Teams

Google

• Compute

  • Google Long Stopped VM Instances
  • Google Unlabeled Resources

Policy Templates for Cost

AWS

• All

  • AWS Cheaper Regions

• CloudTrail

  • AWS CloudTrails With Read Logging Enabled

• Compute

  • AWS Burstable EC2 Instances
  • AWS EC2 Instances Time Stopped Report
  • AWS EKS Clusters Without Spot Instances
  • AWS Expiring Reserved Instances
  • AWS Expiring Savings Plans
  • AWS Reserved Instances Coverage
  • AWS Reserved Instances Utilization
  • AWS Savings Plan Utilization
  • AWS Savings Realized From Rate Reduction Purchases
  • AWS Schedule Instance

• Marketplace

  • AWS New Marketplace Products

• Storage

  • AWS Oversized S3 Buckets
  • AWS S3 Buckets Without Intelligent Tiering
  • AWS S3 Buckets Without Lifecycle Configuration
  • AWS S3 Incomplete Multi-Part Uploads

Azure

• All

  • Azure Cheaper Regions

• Compute

  • Azure Compute Instances Time Powered Off Report
  • Azure Expiring Reserved Instances
  • Azure Expiring Savings Plans
  • Azure Hybrid Use Benefit for Linux Server
  • Azure Reserved Instances Utilization
  • Azure Reserved Instances Utilization MCA
  • Azure Savings Plan Utilization
  • Azure Savings Realized from Reservations
  • Azure Schedule Instance

• Marketplace

  • Azure New Marketplace Products

• Network

  • Azure Unused Virtual Network Gateways

• PaaS

  • Azure Web Apps With Unoptimized Scaling

• SQL

  • Azure Hybrid Use Benefit for SQL
  • Azure SQL Servers Without Elastic Pools

• Storage Accounts

  • Azure Storage Accounts without Lifecycle Management Policies

Azure China

• Common Bill Ingestion

  • Azure China Common Bill Ingestion

Flexera

• Cloud Cost Optimization

  • Budget Alerts
  • Budget vs Actual Spend Report
  • Cloud Cost Anomaly Alerts
  • Cloud Spend Forecast - Straight-Line
  • Cloud Spend Moving Average Report
  • Currency Conversion
  • Email Cost Optimization Recommendations
  • Flexera FOCUS Report
  • Low Usage Report
  • New Usage
  • Scheduled Report
  • Scheduled Report for Unallocated Costs
  • Vendor Spend Commitment Forecast

• Common Bill Ingestion

  • Common Bill Ingestion from AWS S3 Object Storage
  • Common Bill Ingestion from Azure Blob Storage
  • Fixed Cost Common Bill Ingestion

• Spot Eco

  • Spot Eco - Commitment Source Dimension

Google

• All

  • Google Cheaper Regions
  • Google Recommenders

• Compute

  • Google Committed Use Discount Report
  • Google Expiring Committed Use Discounts (CUD)
  • Google Schedule Instance

• Storage

  • Google Cloud Storage Without Lifecycle Configuration

Oracle

• Common Bill Ingestion

  • Oracle Cloud Common Bill Ingestion

Policy Templates for Operational

AWS

• Compute

  • AWS Long Running Instances
  • AWS Overutilized EC2 Instances
  • AWS Scheduled EC2 Events
  • AWS Usage Forecast - Instance Time Used
  • AWS Usage Report - Instance Time Used

• PaaS

  • AWS Lambda Functions With High Error Rate
  • AWS Lambda Functions Without Provisioned Concurrency

• Tags

  • AWS Tag Cardinality Report

Azure

• AKS

  • AKS Node Pools Without Autoscaling
  • AKS Node Pools Without Zero Autoscaling

• Compute

  • Azure Bring-Your-Own-License (BYOL) Report
  • Azure Long Running Instances
  • Azure Overutilized Compute Instances
  • Azure Usage Report - Instance Time Used
  • Azure VMs Not Using Managed Disks

• PaaS

  • Azure Expiring Certificates

• Tags

  • Azure Tag Cardinality Report

Flexera

• Automation

  • Applied Policy Template Errors
  • Flexera Automation Disallowed Credentials
  • Flexera Automation Expiring Credentials
  • Flexera Automation Outdated Applied Policies

• Cloud Cost Optimization

  • Cloud Bill Processing Error Notification
  • FinOps Dashboards

• FlexNet Manager

  • Schedule FlexNet Manager Report

• IT Asset Management

  • ITAM Asset Report
  • ITAM Installed Application Report
  • ITAM License Report
  • Schedule ITAM Report

• Identity & Access Management

  • Flexera One API Event Report
  • Flexera One User Access Report

• Kubernetes

  • Spot Ocean - Common Bill Ingest

• N/A

  • Flexera Billing Centers from Dimension Values

Google

• Compute

  • Google Overutilized VM Instances

• Tags

  • Google Label Cardinality Report

Policy Templates for SaaS Management

Flexera

• SaaS Manager

  • SaaS Manager - Deactivated Users
  • SaaS Manager - Deactivated Users for Integrated Applications
  • SaaS Manager - Duplicate User Accounts
  • SaaS Manager - Redundant Apps
  • SaaS Manager - Renewal Reminder
  • SaaS Manager - Suspicious Users
  • SaaS Manager - Unsanctioned Applications with Existing Contract
  • SaaS Manager - Unsanctioned Spend

Microsoft

• Office 365

  • Office 365 Security Alerts

Okta

• N/A

  • Okta Inactive Users

ServiceNow

• N/A

  • ServiceNow Inactive Approvers

Policy Templates for Security

AWS

• CloudTrail

  • AWS CloudTrail Not Enabled In All Regions
  • AWS CloudTrail S3 Buckets Without Access Logging
  • AWS CloudTrails Not Integrated With CloudWatch
  • AWS CloudTrails Without Encrypted Logs
  • AWS CloudTrails Without Log File Validation Enabled
  • AWS CloudTrails Without Object-level Events Logging Enabled
  • AWS Publicly Accessible CloudTrail S3 Buckets

• Config

  • AWS Regions Without Config Fully Enabled

• DBS

  • AWS Regions Without Default EBS Encryption

• EBS

  • AWS Unencrypted EBS Volumes

• Identity & Access Management

  • AWS IAM Account Missing Support Role
  • AWS IAM Attached Admin Policies
  • AWS IAM Expired SSL/TLS Certificates
  • AWS IAM Insufficient Required Password Length
  • AWS IAM Password Policy Not Restricting Password Reuse
  • AWS IAM Root Account Access Keys
  • AWS IAM Root User Account Without Hardware MFA
  • AWS IAM Root User Account Without MFA
  • AWS IAM Root User Doing Everyday Tasks
  • AWS IAM User Accounts Without MFA
  • AWS IAM Users With Directly-Attached Policies
  • AWS IAM Users With Multiple Active Access Keys
  • AWS IAM Users With Old Access Keys
  • AWS Regions Without Access Analyzer Enabled
  • AWS Unused IAM Credentials

• KMS

  • AWS Customer Managed Keys (CMKs) Without Rotation Enabled

• Network

  • AWS Elastic Load Balancers With Unencrypted Listeners
  • AWS Internet-Accessible Elastic Load Balancers
  • AWS VPCs Without FlowLogs Enabled

• RDS

  • AWS Publicly Accessible RDS Instances
  • AWS Unencrypted RDS Instances

• S3

  • AWS Open S3 Buckets

• Storage

  • AWS S3 Buckets Accepting HTTP Requests
  • AWS S3 Buckets Without Default Encryption Configuration
  • AWS S3 Buckets Without MFA Delete Enabled
  • AWS S3 Buckets Without Public Access Blocked
  • AWS S3 Buckets Without Server Access Logging

Azure

• App Service

  • Azure Web Apps Without Secure TLS

• Identity & Access Management

  • Azure Guest Users
  • Azure Subscriptions Without Log Analytics Auto-Provisioning

• MySQL

  • Azure MySQL Flexible Servers Without Secure TLS
  • Azure MySQL Servers Without Enforced SSL

• Network Security Group

  • Azure Network Security Groups With Inbound RDP Open
  • Azure Network Security Groups With Inbound SSH Open

• PostgreSQL

  • Azure PostgreSQL Servers With Bad Log Settings
  • Azure PostgreSQL Servers With Insufficient Log Retention
  • Azure PostgreSQL Servers Without Connection Throttling
  • Azure PostgreSQL Servers Without Infrastructure Encryption

• SQL

  • Azure Publicly-Accessible SQL Managed Instances
  • Azure SQL Databases Without Encryption
  • Azure SQL Servers Vulnerability Assessment Does Not Notify Admins
  • Azure SQL Servers Vulnerability Assessment Without Email Notifications
  • Azure SQL Servers Vulnerability Assessment Without Periodic Scans
  • Azure SQL Servers With Insufficient Auditing Retention
  • Azure SQL Servers Without Active Directory Admin
  • Azure SQL Servers Without Advanced Threat Protection (ATP)
  • Azure SQL Servers Without Auditing Enabled
  • Azure SQL Servers Without Vulnerability Assessment (VA) Enabled

• Security

  • Azure Subscriptions Without High Severity Alerts
  • Azure Subscriptions Without Owner Security Alerts
  • Azure Subscriptions Without Security Contact Email

• Storage

  • Azure Blob Storage Accounts Without Logging Enabled
  • Azure Blob Storage Accounts Without Soft Delete Enabled
  • Azure Publicly-Accessible Blob Containers
  • Azure Queue Storage Accounts Without Logging Enabled
  • Azure Storage Accounts Allowing Default Network Access
  • Azure Storage Accounts Without Secure TLS
  • Azure Storage Accounts Without Secure Transfer
  • Azure Storage Accounts Without Trusted Microsoft Services Access
  • Azure Table Storage Accounts Without Logging Enabled

Google

• Storage

  • Google Open Buckets

Tools

• Flexera Automation CloudFormation Template
• fpt Command Line Tool

Policy Data Sets

Some policies require external data sets to function. These data sets are stored in the data directory. The following data sets are available:

• Flexera IAM Roles
• AWS Regions
• AWS EC2 Instance Types
• AWS ElastiCache Types
• AWS EC2 Pricing
• AWS RDS Pricing
• Azure Regions
• Azure VM Instance Types
• Azure SQL Service Tier Types
• Azure SQL Managed Instance Tier Types
• Azure VM Pricing
• Azure MD Pricing
• Azure DB Storage Pricing
• Azure SQL Managed Instance Storage Pricing
• Google Regions
• Google VM Instance Types
• Google VM Pricing
• Currency Reference
• TZ Database Timezone List

How To Upload

• Files with the extension .pt are policy templates that can be used in Flexera One.
• Select the desired policy template, click on the “Raw” button, and then right-click and choose “Save As” to save the file to your computer.
• To upload the template to your account, navigate over to the Templates page in the left navigation bar in Governance. Ensure you have the role to access policy management in RightScale. Learn More about Policy Access Control.
• Click the “Upload Policy Template” button in the account you wish to test the policy and follow the instructions to upload the template you just downloaded.

Policy Template Documentation

• Getting Started
• Reference Documentation
• Policy Template Language
• Policy Development Training
• Markdown Editor - Use this to test Markdown Syntax

Repository Documentation

• Contribution Guide
• Catalog Style Guide
• Troubleshooting Guide
• Meta Policies

Getting Help

Before reaching out for help, please make use of the Troubleshooting Guide to diagnose the issue. Many issues have simple, straight-forward resolutions.

Contacting Support

For most issues that you're unable to diagnose/resolve, it is recommended that you contact support via the Flexera Community.

Opening an Issue

If you're experiencing an issue that you are fairly certain is a bug with the policy template itself, please raise an Issue and include as much detail about the issue as you can. Note that, if investigation shows an issue with the Flexera platform or with the local configuration/usage of the policy template rather than a problem with the policy template itself, you will be directed to contact support via the Flexera Community.